RepoMirrors/ffmpeg
1
0
Fork 0
mirror of https://git.ffmpeg.org/ffmpeg.git synced 2024-12-28 18:32:22 +00:00
Code Issues Projects Releases Wiki Activity

4xm: Add a check in decode_i_frame to prevent buffer overreads

Browse Source 
Fixes bugzilla #135

Signed-off-by: Janne Grunau <janne-libav@jannau.net>
This commit is contained in:
Shitiz Garg 2011-12-14 18:29:21 +05:30 committed by Janne Grunau
parent 01a01bf8bd
commit 355d917c0b
1 changed files with 12 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
libavcodec/4xm.c
View File

@ -653,9 +653,18 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length){
uint16_t *dst= (uint16_t*)f->current_picture.data[0];
const int stride= f->current_picture.linesize[0]>>1;
const unsigned int bitstream_size= AV_RL32(buf);
const int token_count av_unused = AV_RL32(buf + bitstream_size + 8);
unsigned int prestream_size= 4*AV_RL32(buf + bitstream_size + 4);
const uint8_t *prestream= buf + bitstream_size + 12;
int token_count av_unused;
unsigned int prestream_size;
const uint8_t *prestream;
if (length < bitstream_size + 12) {
av_log(f->avctx, AV_LOG_ERROR, "packet size too small\n");
return AVERROR_INVALIDDATA;
}
token_count = AV_RL32(buf + bitstream_size + 8);
prestream_size = 4 * AV_RL32(buf + bitstream_size + 4);
prestream = buf + bitstream_size + 12;
if(prestream_size + bitstream_size + 12 != length
|| bitstream_size > (1<<26)